Dear Debian Maintainers,

Please note that percona-xtrabackup < 2.3.6 && < 2.4.5 is vulnerable to a
Chosen-Plaintext attack when running xbcrypt to encrypt backups.

Backup plaintext data can be retrieved in this manner without the original 
password.

We have blogged about the fix for the issue here:
https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly
and our packages are available with the fix in place.

Please note that the version as per
https://packages.debian.org/search?keywords=percona-xtrabackup (2.2.3-2.1)
is vulnerable to this attack, and I would encourage you to check the code
changes here (if the intent is to backport the fix rather than jump the version):
https://github.com/percona/percona-xtrabackup/pull/266
https://github.com/percona/percona-xtrabackup/pull/267

Cheers

David

David Busby, CISSP,
Information Security Architect,
Percona
skype: Ascrethy
office: +1-919-794-5190
Shropshire, UK. GMT (UTC)
GPG: 5422AA2AB636DA5A https://keybase.io/oneiroi
Our Services: https://www.percona.com/services.html
Our Blog: https://www.percona.com/blog